Bug 44471

Summary: Missing NULL check of the return value of platform_get_resource() in function tmiofb_probe()
Product: Drivers Reporter: RUC_Soft_Sec (rucsoftsec)
Component: Video(Other)    Assignee: Alan (alan)
Status: RESOLVED CODE_FIX    
Severity: normal CC: alan, florian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.39 Subsystem:
Regression: No Bisected commit-id:

Description RUC_Soft_Sec 2012-07-11 13:09:17 UTC
In function tmiofb_probe() at drivers/video/tmiofb.c:680, the calls to platform_get_resource() at lines 684, 685 and 686 may return a NULL pointer, thus variables ccr, lcr and vram may refer to NULL. So an invalid memory access may be triggered when variable vram is dereferenced at line 721, as there is no check of variable vram against NULL. It's the same with variable lcr at line 725 and with variable ccr at line 731.
The related code snippets in tmiofb_probe() are as follows.
tmiofb_probe() @@drivers/video/tmiofb.c:684
 684        struct resource *ccr = platform_get_resource(dev, IORESOURCE_MEM, 1);
 685        struct resource *lcr = platform_get_resource(dev, IORESOURCE_MEM, 0);
 686        struct resource *vram = platform_get_resource(dev, IORESOURCE_MEM, 2);
    ...
 721        info->fix.smem_start = vram->start;
    ...
 725        info->fix.mmio_start = lcr->start;
    ...
 731        par->ccr = ioremap(ccr->start, resource_size(ccr));
 732        if (!par->ccr) {
 733                retval = -ENOMEM;
 734                goto err_ioremap_ccr;
 735        }


Generally, the return value should be checked against NULL before use, like the following code from file drivers/video/sm501fb.c.
sm501fb_start() @@drivers/video/sm501fb.c:1533
1533        res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
1534        if (res == NULL) {
1535                dev_err(dev, "no resource definition for registers\n");
1536                ret = -ENOENT;
1537                goto err_release;
1538        }
1539
1540        info->regs_res = request_mem_region(res->start,
1541                                            resource_size(res),
1542                                            pdev->name);


Thank you

RUC_Soft_Sec
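The pattern the report asks for, as an added example that is neither kernel code nor part of the report or the merged patch: a user-space model in which a stand-in platform_get_resource() returns NULL for a resource the board description does not provide, and a probe routine (tmiofb_probe_checked, an assumed name) validates all three memory resources before the first dereference and fails with -ENOENT, as sm501fb_start() does. The struct tmiofb_regs type, the probe_rc/probe_vram_len wrappers, the IORESOURCE_MEM value and the two sample devices are constructed for this example.

```c
/* Added example, not kernel code: a user-space model of the NULL-check
 * pattern the report asks for. platform_get_resource() and resource_size()
 * are stand-ins defined here with the kernel's names; nothing below links
 * against the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define IORESOURCE_MEM 0x200   /* assumed flag value, for illustration only */

struct resource {
	unsigned long start;
	unsigned long end;
	unsigned long flags;
};

/* Stand-in for struct platform_device: a fixed table of resources. */
struct platform_device {
	const char *name;
	struct resource *resource;
	unsigned int num_resources;
};

/* Model of platform_get_resource(): return the num-th resource of the given
 * type, or NULL when the board description did not provide one. */
static struct resource *platform_get_resource(struct platform_device *dev,
					      unsigned long type, unsigned int num)
{
	unsigned int i;

	for (i = 0; i < dev->num_resources; i++) {
		struct resource *r = &dev->resource[i];

		if ((r->flags & type) == type) {
			if (num == 0)
				return r;
			num--;
		}
	}
	return NULL;
}

static unsigned long resource_size(const struct resource *res)
{
	return res->end - res->start + 1;
}

/* Assumed output type: the fields tmiofb_probe() fills from the resources. */
struct tmiofb_regs {
	unsigned long smem_start, smem_len;   /* vram */
	unsigned long mmio_start, mmio_len;   /* lcr */
	unsigned long ccr_start, ccr_len;     /* ccr */
};

/* Probe with the checks the report proposes: every resource is validated
 * before it is dereferenced; a missing one fails the probe with -ENOENT
 * instead of faulting on a NULL pointer. */
int tmiofb_probe_checked(struct platform_device *dev, struct tmiofb_regs *out)
{
	struct resource *ccr = platform_get_resource(dev, IORESOURCE_MEM, 1);
	struct resource *lcr = platform_get_resource(dev, IORESOURCE_MEM, 0);
	struct resource *vram = platform_get_resource(dev, IORESOURCE_MEM, 2);

	if (!ccr || !lcr || !vram) {
		fprintf(stderr, "%s: missing memory resource (ccr=%p lcr=%p vram=%p)\n",
			dev->name, (void *)ccr, (void *)lcr, (void *)vram);
		return -ENOENT;
	}

	out->smem_start = vram->start; out->smem_len = resource_size(vram);
	out->mmio_start = lcr->start;  out->mmio_len = resource_size(lcr);
	out->ccr_start = ccr->start;   out->ccr_len = resource_size(ccr);
	return 0;
}

/* Convenience wrappers: probe status, and the VRAM length on success (0 on failure). */
int probe_rc(struct platform_device *dev)
{
	struct tmiofb_regs r;
	return tmiofb_probe_checked(dev, &r);
}

unsigned long probe_vram_len(struct platform_device *dev)
{
	struct tmiofb_regs r;
	return tmiofb_probe_checked(dev, &r) ? 0 : r.smem_len;
}

/* Constructed sample devices: one with all three MEM resources, one whose
 * board description dropped the VRAM window (MEM index 2). */
static struct resource full_res[] = {
	{ 0x10000000, 0x100003ff, IORESOURCE_MEM }, /* lcr:  MEM index 0 */
	{ 0x10000400, 0x100007ff, IORESOURCE_MEM }, /* ccr:  MEM index 1 */
	{ 0x20000000, 0x2003ffff, IORESOURCE_MEM }, /* vram: MEM index 2 */
};
static struct resource short_res[] = {
	{ 0x10000000, 0x100003ff, IORESOURCE_MEM },
	{ 0x10000400, 0x100007ff, IORESOURCE_MEM },
};

struct platform_device full_dev = { "tmio-fb-full", full_res, 3 };
struct platform_device short_dev = { "tmio-fb-short", short_res, 2 };

int main(void)
{
	printf("full device:  rc=%d vram_len=0x%lx\n", probe_rc(&full_dev), probe_vram_len(&full_dev));
	printf("short device: rc=%d (-ENOENT is %d)\n", probe_rc(&short_dev), -ENOENT);
	return 0;
}
```

The unchecked kernel code quoted above would dereference vram->start on the short device; with the check in place the probe returns -ENOENT and the driver core simply leaves the device unbound.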
Comment 1 RUC_Soft_Sec 2012-08-14 13:36:36 UTC
I am sorry to trouble, but I want to make sure whether this is a real bug or a false positive.

Thank you

RUC_Soft_Sec
Comment 2 Alan 2012-08-15 21:52:34 UTC
It's kind of a bug, but it could only occur if the in-kernel device create for the node was broken too. So not really a bug proper.
Comment 3 Florian Mickler 2012-10-15 20:46:52 UTC
A patch referencing this bug report has been merged in Linux v3.7-rc1:

commit 40dc23aa82d51147a24f659a7c006ae4bb14009a
Author: Alan Cox <alan@linux.intel.com>
Date:   Tue Jul 24 13:43:48 2012 +0100

    tmiofb: missing NULL pointer checks